WiredWX Christian Hobby Weather Tools
WinBlueSoft - Infection

Hi,

My PC has been infected with the WinBlueSoft Trojan. I have uninstalled it, but it still persists.

I cannot open Windows Live OneCare or any of my hard drives. I have installed Malwarebytes & Spyware Doctor but these programs will not open.

Your help would be greatly appreciated.

I have followed your instructions and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:48, on 03/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\sfmgr\sfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RICHARD\Desktop\HiJack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158169677858
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158169665905
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - http://game06.zylom.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O20 - AppInit_DLLs: blocker.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - C:\sfmgr\sfmgr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 10373 bytes

Thanking you in advance

Re: WinBlueSoft - Infection

I see that you are running BitComet.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitComet is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitComet
  • Java(TM) 6 Update 7

Let's start killing this stuff now.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot..."
  • Then find and select this file: C:\windows\system32\blocker.dll
  • Select okay and select yes to reboot.

After reboot, we need to clean a few things up in the normal Hijack This system scan.

  • Open HijackThis again.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - http://game06.zylom.com/activex/zylomgamesplayer.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
    O20 - AppInit_DLLs: blocker.dll

  • Press "Fix Checked"
  • Close Hijack This.

Let me know once you've done that.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
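A defender's view of the entries fixed above, as an added example that is not from the thread, from HijackThis or from its author: a small triage script that flags the O17 rogue resolvers, the O20 AppInit_DLLs entry and the orphaned O2/O3 entries in an HJT log. The sample lines are copied from the log posted above; the expected-resolver address 192.168.1.1 is an assumption standing in for the machine's real router or ISP resolver.

```python
"""Triage a HijackThis (HJT) log for the entry classes fixed in this thread:
rogue DNS resolvers (O17), AppInit_DLLs injection (O20) and BHO/toolbar
registrations whose file is gone (O2/O3). Added example, not HJT's code."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: ten lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.67,85.255.112.170
O20 - AppInit_DLLs: blocker.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: the resolver this machine should be using (e.g. the home router).
EXPECTED_RESOLVERS = frozenset({ipaddress.ip_address("192.168.1.1")})

O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>\w+)\\\S+: NameServer = (?P<servers>[\d.,]+)\s*$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
O2O3_RE = re.compile(r"^(?P<sec>O2|O3) - (?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O17"
    severity: str  # "high" or "medium"
    reason: str    # why the line was flagged
    line: str      # the log line to tick under "Fix checked" in HJT


def check_nameserver(line, expected=EXPECTED_RESOLVERS):
    """O17: flag each resolver not in the expected set, per control set.
    The same rogue pair in CS1, CS2 and CCS means 'Last Known Good' cannot
    roll it back, so all the O17 lines have to be fixed together."""
    m = O17_RE.match(line)
    if not m:
        return []
    out = []
    for text in m.group("servers").split(","):
        ip = ipaddress.ip_address(text.strip())
        if ip in expected:
            continue
        scope = "private" if ip.is_private else "public"
        out.append(Finding("O17", "high",
                           f"{m.group('cs')}: unexpected {scope} DNS resolver {ip}", line))
    return out


def check_appinit(line):
    """O20: AppInit_DLLs is loaded into every process that maps user32.dll;
    legitimate entries are rare, so any non-empty value is reviewed."""
    m = O20_RE.match(line)
    if not m or not m.group("dlls").strip():
        return []
    return [Finding("O20", "high", f"AppInit_DLLs loads {m.group('dlls').strip()}", line)]


def check_orphaned_bho(line):
    """O2/O3: a BHO or toolbar whose file is missing is a dead registration
    left behind by a removed (or half-removed) program; '(no name)' adds weight."""
    m = O2O3_RE.match(line)
    if not m:
        return []
    target = m.group("target").strip()
    if not (target.endswith("(file missing)") or target == "(no file)"):
        return []
    why = "orphaned entry, file missing"
    if m.group("name") == "(no name)":
        why += ", unnamed"
    return [Finding(m.group("sec"), "medium", why, line)]


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Run every check over each non-empty log line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings += check_nameserver(line, expected)
            findings += check_appinit(line)
            findings += check_orphaned_bho(line)
    return findings


def count_by_section(findings):
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


def control_sets_with_rogue_dns(findings):
    """Which control sets carry a rogue resolver (e.g. ['CCS', 'CS1'])."""
    return sorted({f.reason.split(":")[0] for f in findings if f.section == "O17"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```

Legitimate entries such as the Adobe BHO, the Windows Live toolbar and the NVIDIA service pass through unflagged, while every line the helper had ticked is reported.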

Re: WinBlueSoft - Infection

Hi Belahzur,

Thank you for the prompt response and for the help so far.

I have done as you have requested.

I have uninstalled BitComet and Java Update 6 to 7.

I await further instruction

Re: WinBlueSoft - Infection


  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Windows One-Care)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.


  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes


  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: WinBlueSoft - Infection

Hi, I have turned off both Windows Live Onecare firewall & antivirus.
I downloaded the Combofix, installed it but it won't run?

I downloaded it again but it says I cannot rename combfix to combofix(2).

I might've done something dumb without realising?

Re: WinBlueSoft - Infection

Hello.
Delete your copy of Combofix you have right now.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Re: WinBlueSoft - Infection

Hi,

Here is the log (in 3 parts):

PART 1

ComboFix 09-06-01.03 - RICHARD 03/06/2009 23:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.423 [GMT 1:00]
Running from: c:\documents and settings\RICHARD\My Documents\Combo-Fix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0142B9FB.urr
c:\program files\INSTALL.LOG
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\video activex object
C:\setup.exe

Re: WinBlueSoft - Infection

PART 2

c:\windows\system32\3512back9oorz987.cpl
c:\windows\system32\35534not-a9virus59dz.bin
c:\windows\system32\3565thre5t90277z.dll
c:\windows\system32\35a9spyw5rez427.cpl
c:\windows\system32\37d79dd5are17z9.exe
c:\windows\system32\38z3vir14569.dll
c:\windows\system32\3967adz5are329.ocx
c:\windows\system32\39b1sparse3z055.exe
c:\windows\system32\39f29ddzar51449.cpl
c:\windows\system32\3a589pywarz2274.exe
c:\windows\system32\3a9dadzw5re2223.bin
c:\windows\system32\3b96addwar524z0.bin
c:\windows\system32\3c86baz5doo933.ocx
c:\windows\system32\3d31a95ware79z.dll
c:\windows\system32\3d859irz372.bin
c:\windows\system32\3d9tzreat19045.ocx
c:\windows\system32\3deczown9o5der2050.exe
c:\windows\system32\3f94zpa5se2422.dll
c:\windows\system32\3z2fthie520729.ocx
c:\windows\system32\3z74s5eal1492.exe
c:\windows\system32\3z92spywa5e214.dll
c:\windows\system32\407595zm614.cpl
c:\windows\system32\4239virz510f.dll
c:\windows\system32\42z1vi9563.cpl
c:\windows\system32\4301th9ea53z395.cpl
c:\windows\system32\432w9z52c1.dll
c:\windows\system32\449zbackdo9r2915.bin
c:\windows\system32\4515add9arz423.exe
c:\windows\system32\459b9zar5e2528.ocx
c:\windows\system32\46ecsteaz29549.dll
c:\windows\system32\46f55py9arz2229.ocx
c:\windows\system32\4731n5t-a-9irusz87.bin
c:\windows\system32\47959ir5z59.dll
c:\windows\system32\47f8baz5do9r2239.exe
c:\windows\system32\48azspyware55499.dll
c:\windows\system32\49059parsez72.cpl
c:\windows\system32\49105zrm92d.dll
c:\windows\system32\494cvir2z125.bin
c:\windows\system32\495zirus87.cpl
c:\windows\system32\49c6d5znload9r1626.cpl
c:\windows\system32\49cdsteal188z5.bin
c:\windows\system32\4b59st5zl2931.dll
c:\windows\system32\4b7threaz255719.exe
c:\windows\system32\4b9fthief35z4.exe
c:\windows\system32\4bzfs59rse729.cpl
c:\windows\system32\4c1b5pywaze9978.ocx
c:\windows\system32\4d99zhreat17576.dll
c:\windows\system32\4e9threat1580z5.ocx
c:\windows\system32\4ec5a9dwarez57.dll
c:\windows\system32\50546not-a-viz9s541.cpl
c:\windows\system32\5069spambot58dz.bin
c:\windows\system32\50c9thzef2572.ocx
c:\windows\system32\50f4s9zware971.exe
c:\windows\system32\51253spam9oz392.cpl
c:\windows\system32\5130backdz5r899.ocx
c:\windows\system32\51522v9rus2zc.ocx
c:\windows\system32\52465woz95a8.cpl
c:\windows\system32\539zs95mbotd4.dll
c:\windows\system32\548a9hiefz590.bin
c:\windows\system32\5493steaz1593.bin
c:\windows\system32\549espy5are96z.exe
c:\windows\system32\551aaddwa9e23z15.cpl
c:\windows\system32\552worz960.ocx
c:\windows\system32\5554vir9762z.bin
c:\windows\system32\560189iruz559.ocx
c:\windows\system32\56019zy3c8.dll
c:\windows\system32\56e3vir215z9.cpl
c:\windows\system32\56e9addware2z90.bin
c:\windows\system32\570spyw9re1z39.exe
c:\windows\system32\5728zot-a-9irus51.bin
c:\windows\system32\57549parsz3232.cpl
c:\windows\system32\57z599pambot578.bin
c:\windows\system32\582zspy509.cpl
c:\windows\system32\58899p55cz.bin
c:\windows\system32\5893vizus5b9.bin
c:\windows\system32\58977t9zj29b.ocx
c:\windows\system32\58b6szarse1769.bin
c:\windows\system32\5919steaz4999.bin
c:\windows\system32\595dspywa95z555.ocx
c:\windows\system32\5962v5z1714.cpl
c:\windows\system32\5967thizf1756.exe
c:\windows\system32\5970spyware15z95.ocx
c:\windows\system32\59desparse27z7.dll
c:\windows\system32\59z9t5oj6e2.ocx
c:\windows\system32\5a419pyzare2354.ocx
c:\windows\system32\5b8e9zre5t9835.exe
c:\windows\system32\5ccazddwa9e2876.exe
c:\windows\system32\5dbfs5ezl195.exe
c:\windows\system32\5e51s5ywz9e54.exe
c:\windows\system32\5e98thre5z24609.exe
c:\windows\system32\5z64spy259.cpl
c:\windows\system32\5z6cth5ea92144.bin
c:\windows\system32\5z999tro9430.cpl
c:\windows\system32\605z95ief1433.ocx
c:\windows\system32\6075st9al2z37.ocx
c:\windows\system32\6185ha9ktool72fz.ocx
c:\windows\system32\651eaddwzre9366.dll
c:\windows\system32\652zsp5mbot9b0.exe
c:\windows\system32\657daddwarez6769.ocx
c:\windows\system32\66dddownlo5dez2139.ocx
c:\windows\system32\67e6zpywa9e1154.dll
c:\windows\system32\6838bazkdoor13925.bin
c:\windows\system32\683az5re9t2099.cpl
c:\windows\system32\686adownlo5der9z2.dll
c:\windows\system32\6879s9zmbot2d15.bin
c:\windows\system32\68b4d5wnlo9dez2971.dll
c:\windows\system32\6901viru5z.exe
c:\windows\system32\6982zirus5649.exe
c:\windows\system32\6a55thief9z98.exe
c:\windows\system32\6a93adzw9re3955.dll
c:\windows\system32\6ad59hreaz161085.bin
c:\windows\system32\6c9dbazkdoor5219.dll
c:\windows\system32\6f9cvzr3590.ocx
c:\windows\system32\6z33thr5a916883.dll
c:\windows\system32\71509iruz53.bin
c:\windows\system32\7261sz9mbot567.dll
c:\windows\system32\72f5szywa5e1799.bin
c:\windows\system32\7385th5ez1958.bin
c:\windows\system32\7509sparsz2483.bin
c:\windows\system32\759esparsez3499.cpl
c:\windows\system32\75e5thizf2498.dll
c:\windows\system32\75e5zhief14695.exe
c:\windows\system32\75zfth59f3060.cpl
c:\windows\system32\7695vir2145z.exe
c:\windows\system32\772dbaczdoor9915.ocx
c:\windows\system32\77f59ac5dooz2500.exe
c:\windows\system32\7854spazse559.ocx
c:\windows\system32\78bv9r310z5.dll
c:\windows\system32\7933v5r24z8.ocx
c:\windows\system32\79425ownloaderz419.bin
c:\windows\system32\799badd9ar58z3.cpl
c:\windows\system32\79dbvirz550.exe
c:\windows\system32\7a97sp9waz5962.bin
c:\windows\system32\7cd6downlozder3957.bin
c:\windows\system32\7d57threz99207.dll
c:\windows\system32\7dfdspy9arz5526.cpl
c:\windows\system32\7f5dazdware5499.exe
c:\windows\system32\7f5dzh5e9604.cpl
c:\windows\system32\7fastz5l7699.cpl
c:\windows\system32\7z9e95yware562.bin
c:\windows\system32\8179spamb9z159.cpl
c:\windows\system32\857zparse976.ocx
c:\windows\system32\8605wo9m3zf.dll
c:\windows\system32\8607spz259.exe
c:\windows\system32\90509zorm55a.ocx

Re: WinBlueSoft - Infection
PART 3

c:\windows\system32\907adzwnloader1572.bin
c:\windows\system32\909zvi5us497.bin
c:\windows\system32\91455hacktool3fz.dll
c:\windows\system32\91540not-a-zirus1e1.ocx
c:\windows\system32\9171tro95z5.cpl
c:\windows\system32\91d1bazkdoor18045.cpl
c:\windows\system32\91z23virus785.ocx
c:\windows\system32\924725izus83.cpl
c:\windows\system32\925back9ozr562.exe
c:\windows\system32\92906szambot75.exe
c:\windows\system32\92z78worm75a.cpl
c:\windows\system32\9357spaz5ot55.exe
c:\windows\system32\9377n5t-9-virus489z.bin
c:\windows\system32\93z95troj2ef.dll
c:\windows\system32\94092trojz5b.ocx
c:\windows\system32\952t5ief27z99.ocx
c:\windows\system32\953z9hacktool758.dll
c:\windows\system32\9547baczd5or1839.bin
c:\windows\system32\95507spz39.dll
c:\windows\system32\95bazd9ar52595.ocx
c:\windows\system32\96z63spa5bot44d.exe
c:\windows\system32\9872spy5aze701.exe
c:\windows\system32\99059worz3e2.ocx
c:\windows\system32\9941zspy651.dll
c:\windows\system32\996bad5ware7z8.bin
c:\windows\system32\9972zp59c7.cpl
c:\windows\system32\99z9spy6c5.bin
c:\windows\system32\9b9spa5se119z.bin
c:\windows\system32\9z00vir5059.cpl
c:\windows\system32\9z302troj35.cpl
c:\windows\system32\9z695hacktool101.ocx
c:\windows\system32\a3s9zware11905.dll
c:\windows\system32\a5zaddware2739.exe
c:\windows\system32\b65z9dware124.bin
c:\windows\system32\b955ownloadez286.cpl
c:\windows\system32\de9download5r9325z.bin
c:\windows\system32\drivers\gxvxccvgvyptpelppwfyicxyjkrpxsintvudy.sys
c:\windows\system32\drivers\gxvxcnawvsvubdixiqojtkklmubrosaeqfsig.sys
c:\windows\system32\drivers\gxvxcnrvalkiqlrkmqlrscdpuiurfwapvswve.sys
c:\windows\system32\drivers\gxvxcosuwgkhlpsuoiorqspujwkyhitpiyoul.sys
c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
c:\windows\system32\e3cdowzloade91475.exe
c:\windows\system32\e4czpars9579.cpl
c:\windows\system32\f99zteal2785.exe
c:\windows\system32\gxvxccnsspmumxnoxygrsesxwtyuowqqvyeqn.dll
c:\windows\system32\gxvxcjmymacferarddxgeoqdtfpbhkexpujyo.dll
c:\windows\system32\z0498s5y45d9.exe
c:\windows\system32\z1329n9t5a-virus26b.cpl
c:\windows\system32\z17385pamb9t5e7.dll
c:\windows\system32\z1993spy529.exe
c:\windows\system32\z2629not-a-virus605.bin
c:\windows\system32\z2905spy1f2.exe
c:\windows\system32\z2955tro97fb.cpl
c:\windows\system32\z4998virus5cf.exe
c:\windows\system32\z4d55par9e198.bin
c:\windows\system32\z502b9ckdoor2433.bin
c:\windows\system32\z5289ownloader996.ocx
c:\windows\system32\z532addwa9e2531.dll
c:\windows\system32\z5475not9a-virus454.exe
c:\windows\system32\z5721s9ambot1e05.ocx
c:\windows\system32\z5865t9oj35.ocx
c:\windows\system32\z7136not5a9virus3fb.exe
c:\windows\system32\z8465roj2e09.cpl
c:\windows\system32\z8473vi5us94b.exe
c:\windows\system32\z919t9ief2519.dll
c:\windows\system32\z9956spambo5334.ocx
c:\windows\system32\z9edth5ef2796.bin
c:\windows\system32\zc57vir2459.exe
c:\windows\system32\zcffste5l2194.exe
c:\windows\system32\zd31dow59oader1394.cpl
c:\windows\system32\zddaspa9se505.dll
c:\windows\system32\zde9s5eal2951.exe
c:\windows\system32\zeeb9parse2957.cpl
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\z138thre9t59857.cpl
c:\windows\z1fth9ef19815.bin
c:\windows\z2539spy643.bin
c:\windows\z2953troj4e39.exe
c:\windows\z309vir9s5105.dll
c:\windows\z325a9kdoor258.cpl
c:\windows\z35035pambot2c39.ocx
c:\windows\z359spa5se1298.ocx
c:\windows\z359spy655.ocx
c:\windows\z35f9ac5door2996.exe
c:\windows\z512s95550.exe
c:\windows\z5296wor5216.dll
c:\windows\z5327t9oj5d8.bin
c:\windows\z589teal2398.ocx
c:\windows\z6651virusc9.cpl
c:\windows\z732not-a-v59us4e9.dll
c:\windows\z844addw5re25549.cpl
c:\windows\z99ebac5door669.bin
c:\windows\za0ba5kdoo9586.cpl
c:\windows\zc17v9r583.exe
c:\windows\zd5ste9l2541.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-08-04 04:54 . 2009-08-04 04:54 5619 ----a-w- c:\windows\system32\2z4439py5.dll
2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{995E55E8-E724-4913-5D35-F2FDBFD1C3FE}-tempo-setup2.exe
2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{F267AA9E-64C6-7D0F-5356-FBDE2CC7A2CD}-tempo-setup2.exe
2009-06-03 17:44 . 2009-06-03 18:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 17:07 . 2009-06-03 17:07 -------- d-----w- c:\program files\Trend Micro
2009-06-03 16:52 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 16:52 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 16:41 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-03 16:40 . 2009-03-06 15:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-03 16:40 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-03 16:40 . 2009-06-03 16:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-03 16:40 . 2008-12-10 11:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-03 16:40 . 2009-06-03 17:44 -------- d-----w- c:\program files\Spyware Doctor
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\RICHARD\Application Data\PC Tools
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-02 23:41 . 2009-06-02 23:41 -------- d-----w- c:\program files\PlayAllDVD
2009-06-02 23:37 . 2009-06-02 23:37 -------- d-----w- c:\program files\WinBlueSoft Software
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\documents and settings\RICHARD\Application Data\UseNeXT
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\program files\UseNeXT
2009-06-01 23:06 . 2009-06-01 23:07 -------- d-----w- c:\documents and settings\RICHARD\Application Data\TigerPlayer
2009-06-01 23:05 . 2009-06-01 23:05 -------- d-----w- c:\program files\MpcStar
2009-05-31 21:42 . 2009-05-31 21:42 390664 ----a-w- c:\documents and settings\RICHARD\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-29 03:35 . 2008-11-05 09:14 1048576 ----a-w- c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash\components\IBitCometExtension.dll
2009-05-27 16:37 . 2009-05-27 16:37 -------- d-----w- c:\program files\DivxFree
2009-05-23 12:04 . 2009-05-23 12:04 -------- d-----w- c:\program files\UltraVideo
2009-05-20 14:44 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-20 14:44 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-20 14:44 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-20 14:44 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-20 14:44 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-20 14:44 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-20 14:44 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-20 14:44 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-20 14:44 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-20 14:42 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-20 14:42 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-20 14:40 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-05-20 14:40 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-05-20 14:40 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-05-20 14:40 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

Re: WinBlueSoft - Infection
PART 4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 17:57 . 2007-07-17 17:52 -------- d-----w- c:\program files\Java
2009-06-03 17:34 . 2006-10-14 15:14 -------- d-----w- c:\program files\BitComet
2009-06-02 17:33 . 2007-09-16 16:44 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-05-27 22:38 . 2006-09-23 16:57 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-26 22:52 . 2008-09-23 18:24 -------- d-----w- c:\program files\Nokia
2009-05-25 19:20 . 2006-09-13 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2002-08-29 20:00 284160 ----a-w- c:\windows\system32\pdh.dll
2009-03-05 23:39 . 2009-03-05 23:39 3483 ----a-w- c:\windows\18557notza-vi9usc.bin
2003-12-19 19:36 . 2006-09-23 17:05 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-9-23 155648]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9879:TCP"= 9879:TCP:BitComet 9879 TCP
"9879:UDP"= 9879:UDP:BitComet 9879 UDP

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [23/09/2006 18:09 9344]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/06/2009 17:40 130424]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [22/03/2009 10:59 24936]
R2 sfmgr;CaReTaKeR-CT NetMgr 1.2.1;c:\sfmgr\sfmgr.exe [15/03/2007 13:16 171008]
S3 krdpdre;krdpdre;\??\c:\docume~1\RICHARD\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\RICHARD\LOCALS~1\Temp\krdpdre.sys [?]
S3 ni_avs;ni_avs;c:\windows\system32\Drivers\ni_avs.sys --> c:\windows\system32\Drivers\ni_avs.sys [?]
S3 ni_usb;ni_usb;c:\windows\system32\Drivers\ni_usb.sys --> c:\windows\system32\Drivers\ni_usb.sys [?]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [03/04/2008 20:45 20936]
.
Contents of the 'Scheduled Tasks' folder

2009-06-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 23:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-725345543-910916986-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3c,9c,6c,23,db,93,6c,2e,e2,51,78,77,2a,83,44,ea,ac,a2,8d,7a,5c,d2,9b,
d3,4c,fe,7c,18,bb,af,e8,59,c4,98,ca,57,50,a5,ea,eb,97,d2,f8,b2,09,8c,85,b4,\
"??"=hex:d5,b6,d8,0c,d2,ce,a5,b1,06,09,a9,bf,cb,2d,2a,b8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-03 23:45
ComboFix-quarantined-files.txt 2009-06-03 22:44

Pre-Run: 1,079,619,584 bytes free
Post-Run: 1,551,650,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

944 --- E O F --- 2009-05-21 18:25

Sorry...ended up being 4 parts (too big otherwise).
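Added example, not part of this thread and not ComboFix's own code: a small Python script that reads lines in the layout of the ComboFix log above and flags what a helper otherwise scans for by eye. It picks out the decoy names in system32 (family words such as virus, spyware, not-a-virus with some letters swapped for 5, 9 or z, as in the lists above), very long random driver names under drivers\, a creation time later than the scan time (the 2z4439py5.dll entry above is dated 2009-08-04 on a scan run on 2009-06-03), the firewall switched off and ports opened to everyone. The word list, the 5/9/z substitution rule and the 30-letter driver-name threshold are assumptions made from reading this log, not rules ComboFix uses; the sample input reuses paths from the log with made-up times and sizes for the decoy files.

```python
import re
from datetime import datetime

# Constructed sample in the layout of ComboFix's "Files Created" section and
# its registry dump. The paths are copied from the log above; the timestamps
# and sizes for the decoy files are made up for this example.
SAMPLE_LOG = r"""
2009-08-04 04:54 . 2009-08-04 04:54 5619 ----a-w- c:\windows\system32\2z4439py5.dll
2009-06-03 16:52 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 11:03 . 2009-06-02 11:03 3483 ----a-w- c:\windows\system32\18137nzt-a-v9rus635.dll
2009-06-02 11:03 . 2009-06-02 11:03 3483 ----a-w- c:\windows\system32\1797s5ywzre2254.bin
2009-06-02 11:03 . 2009-06-02 11:03 28160 ----a-w- c:\windows\system32\drivers\gxvxccvgvyptpelppwfyicxyjkrpxsintvudy.sys
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-20 14:40 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9879:TCP"= 9879:TCP:BitComet 9879 TCP
"""
SCAN_TIME = "2009-06-03 23:42"   # the "Rootkit scan" timestamp in the log above

FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                       r"\s+(\d+|-+)\s+(\S+)\s+(.+?)\s*$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=\s*(.*)$')
RANDOM_DRIVER = re.compile(r"^[a-z]{30,}\.sys$")   # threshold is an assumption

# Family words seen in the decoy names above; the dropper swaps some letters
# for 5, 9 or z (e.g. "nzt-a-v9rus", "s5ywzre"), which the fuzzy match undoes.
DECOY_WORDS = ("not-a-virus", "virus", "spyware", "spambot", "hacktool",
               "backdoor", "downloader", "threat", "addware", "sparse",
               "thief", "steal", "worm", "troj", "spy")
SUBST = set("59z")
DECOY_EXT = {"exe", "dll", "cpl", "ocx", "bin"}


def decoy_word(basename):
    """Return the family word hidden in a decoy file name, or None.
    Up to two letters (never more than half the word) may be replaced by
    5, 9 or z; the stem must also contain a digit and use one of the
    extensions the dropper writes, which keeps names like hidserv.dll out."""
    stem, dot, ext = basename.lower().rpartition(".")
    if dot != "." or ext not in DECOY_EXT or not any(c.isdigit() for c in stem):
        return None
    for word in DECOY_WORDS:
        k, limit = len(word), min(2, (len(word) - 1) // 2)
        for i in range(len(stem) - k + 1):
            subs = [a for a, b in zip(stem[i:i + k], word) if a != b]
            if len(subs) <= limit and all(c in SUBST for c in subs):
                return word
    return None


def analyse(log_text, scan_time=SCAN_TIME):
    """Walk a ComboFix log excerpt and return a list of (item, reason)."""
    scan = datetime.strptime(scan_time, "%Y-%m-%d %H:%M")
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_LINE.match(line)
        if m:
            created, _modified, _size, _attrs, path = m.groups()
            base = path.rsplit("\\", 1)[-1]
            word = decoy_word(base)
            if word:
                findings.append((path, "decoy name built around '%s'" % word))
            if "\\drivers\\" in path.lower() and RANDOM_DRIVER.match(base.lower()):
                findings.append((path, "randomly named kernel driver"))
            if datetime.strptime(created, "%Y-%m-%d %H:%M") > scan:
                findings.append((path, "creation time is later than the scan time"))
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()   # remember the registry key for its values
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, value = m.groups()
            if name == "EnableFirewall" and value.startswith("0"):
                findings.append((key, "Windows Firewall disabled for this profile"))
            elif key.endswith("globallyopenports\\list"):
                findings.append((key, "inbound port opened to everyone: " + name))
    return findings


if __name__ == "__main__":
    for item, reason in analyse(SAMPLE_LOG):
        print(reason, "->", item)
```

Run it on a saved ComboFix log instead of the sample by passing the file's text to analyse(); the fuzzy match is deliberately tight (a digit in the stem, one of five extensions, at most two swapped letters) so that ordinary Windows files with a digit in the name are not reported.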

Re: WinBlueSoft - Infection
Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
krdpdre

File::
c:\windows\system32\2z4439py5.dll
c:\windows\18557notza-vi9usc.bin

Folder::
c:\program files\BitComet

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9879:TCP"=-
"9879:UDP"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: CFScript.txt being dragged onto the ComboFix icon]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: WinBlueSoft - Infection
As requested,

PART 1

ComboFix 09-06-01.03 - RICHARD 04/06/2009 19:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.274 [GMT 1:00]
Running from: c:\documents and settings\RICHARD\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\RICHARD\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
* Created a new restore point

FILE ::
"c:\windows\18557notza-vi9usc.bin"
"c:\windows\system32\2z4439py5.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitComet
c:\program files\BitComet\archive\026b734a6c09566b099c585a137ee5cca05804bf.torrent
c:\program files\BitComet\archive\0803c71c797899c8017202b78b58e8f145f5b5fa.torrent
c:\program files\BitComet\archive\08193886f9255d5327e9c134031b648ad1b052a3.torrent
c:\program files\BitComet\archive\08690f9225f3abc8911d5b130b5e5ad726575c35.torrent
c:\program files\BitComet\archive\1d75186d1cda9b0ad5de0b7c827eccac2e5ffbbf.torrent
c:\program files\BitComet\archive\2043305eb4cd1b607b1425a13a61ec08475c24e7.torrent
c:\program files\BitComet\archive\20980706e94939927a477f5e57848ff44ab06323.torrent
c:\program files\BitComet\archive\254e07b841c619d3f6e3c7c8de0f5de70f338f41.torrent
c:\program files\BitComet\archive\37ee80c96c5e4129644639c37a08c7d87a5602a4.torrent
c:\program files\BitComet\archive\3b8855f925b3c50954dd45e42ce8d1f2f5ff77cc.torrent
c:\program files\BitComet\archive\3cff8a9386ddea42fdca6713c5be21f31e133fa6.torrent
c:\program files\BitComet\archive\44fe0c4baf37c8aee14531f17b2ae2c6d44ff1e7.torrent
c:\program files\BitComet\archive\49f205efeb5c47101abd8661a7d4b9b4e9814ed6.torrent
c:\program files\BitComet\archive\4a723824b6c918f35dcf5051b681f5073e665f7c.torrent
c:\program files\BitComet\archive\5992d15d6971a2a760046f097a95b198ac75c89d.torrent
c:\program files\BitComet\archive\5ddeb6d8733afc6c694708bc0de8ac5fa3b10463.torrent
c:\program files\BitComet\archive\6294ce1faff71917dd61ca5d17c24ad6504b89e7.torrent
c:\program files\BitComet\archive\694a78b3e29243e14cbe8fc7a3ea88d6749d4fab.torrent
c:\program files\BitComet\archive\717352e6f7e4bf8e50238ef63dea35e74dfb414c.torrent
c:\program files\BitComet\archive\74da1a9e9808d6eb7f074eae8030da420555f4a5.torrent
c:\program files\BitComet\archive\77fddf3cb521ebeafdffd2b7041f6c005a3d30ba.torrent
c:\program files\BitComet\archive\8877049e7b5ba7ae8991c1b1c2d4d661d48f276f.torrent
c:\program files\BitComet\archive\8e8b948991492b63adcb243d3e234c22e3c06d2b.torrent
c:\program files\BitComet\archive\9804a30e8bc82e35e138b978c08b94f78bb76ea1.torrent
c:\program files\BitComet\archive\9af4aa7155d078421b8a0ee9012605ad06b656f9.torrent
c:\program files\BitComet\archive\a296ec281b02cd90d67fc6b09fc762dbf8846781.torrent
c:\program files\BitComet\archive\a3a950dca92fcf5ea5600a8828fb37f028eae062.torrent
c:\program files\BitComet\archive\b1b2a1f823c6713521a30a014de22c58ff712f3b.torrent
c:\program files\BitComet\archive\b2e475d3589f25a7058b5b706c4ff77a8386a1c2.torrent
c:\program files\BitComet\archive\bab9be2bd97305590f55426bd056577c5ebec66a.torrent
c:\program files\BitComet\archive\bb8e7dcea1ede29b3d481a324e23c56fb00b4711.torrent
c:\program files\BitComet\archive\bc0dc903887c84003f7dba88d1301e43a16e6374.torrent
c:\program files\BitComet\archive\c1704497052819cec29094d14fa962cec31e95f5.torrent
c:\program files\BitComet\archive\ccca3d95e6f6bbc59e49f974d8e4b9b91b095ecc.torrent
c:\program files\BitComet\archive\d13b27f5f3926de81f3dae28b1ba2ef152607489.torrent
c:\program files\BitComet\archive\db7d80cc8f7fac96ce0ee5fc75fe7c5b2f9b3090.torrent
c:\program files\BitComet\archive\e11af9d1cdf60edc55547cfaf238146c39e8f19c.torrent
c:\program files\BitComet\archive\e53437a9859d83300fcb171101c827a7283bdf0b.torrent
c:\program files\BitComet\archive\e9ae325afd64c46307999a415e528dbc328316b4.torrent
c:\program files\BitComet\archive\ed44d05e6e61b8f7e4ae5bd022e00e742f6fa48c.torrent
c:\program files\BitComet\archive\f9ff909298d7af5ea4c9614d8ec3f57599786226.torrent
c:\program files\BitComet\archive\fb80c966e12c437500c1a212c77cb7f95c5dadc8.torrent
c:\program files\BitComet\BitComet.xml
c:\program files\BitComet\Downloads.xml
c:\program files\BitComet\Downloads.xml.bak
c:\program files\BitComet\rules\dhtnodes.dat
c:\program files\BitComet\rules\ipfilter.dat
c:\program files\BitComet\share\my_shares.xml
c:\program files\BitComet\tools\CRASH.DMP
c:\program files\BitComet\tools\CRASHLOG.DAT
c:\program files\BitComet\tools\CRASHLOG.TXT
c:\program files\BitComet\Torrents\[Suze Randall] - The Young & The Raunchy - (Jana Cova, Cytherea, Taylor Rain).avi.torrent
c:\program files\BitComet\Torrents\Angels And Demons 2009 Cam(A Commission-Kvcd by JRNAD).torrent
c:\program files\BitComet\Torrents\Angels And Demons 2009 Cam(A Commission-Kvcd by JRNAD).xml
c:\program files\BitComet\Torrents\Barely.Legal.18th.Birthday.3.XXX.DVDRip.XviD-NYMPHO.torrent
c:\program files\BitComet\Torrents\Barely.Legal.18th.Birthday.3.XXX.DVDRip.XviD-NYMPHO[0].torrent
c:\program files\BitComet\Torrents\BitComet_1.12_setup.exe.torrent
c:\program files\BitComet\Torrents\BitComet_1.12_setup.exe.xml
c:\program files\BitComet\Torrents\Broken.Flowers[2005].DVDRIP.Mentality.avi.torrent
c:\program files\BitComet\Torrents\Broken.Flowers[2005].DVDRIP.Mentality.avi.xml
c:\program files\BitComet\Torrents\Coraline - (2009) DvDrip-XviD-BeStDivX.torrent
c:\program files\BitComet\Torrents\Coraline.2009.DVDRip.XviD-ARROW-MFDss™️.torrent
c:\program files\BitComet\Torrents\Coraline.2009.DVDRip.XviD-ARROW-MFDss™️.xml
c:\program files\BitComet\Torrents\Coraline.CAM.XviD-nsiervi.torrent
c:\program files\BitComet\Torrents\Coraline_NTSC_PS2DVD-STRiKE.torrent
c:\program files\BitComet\Torrents\Cum Swapping Girlfriends.torrent
c:\program files\BitComet\Torrents\Cum Swapping Girlfriends.xml
c:\program files\BitComet\Torrents\Drag me to Hell[2009][DvdScreener].wmv.torrent
c:\program files\BitComet\Torrents\Drag me to Hell[2009][DvdScreener].wmv.xml
c:\program files\BitComet\Torrents\Duplicity (2009) TS DivXNL-Team.torrent
c:\program files\BitComet\Torrents\Duplicity.2009.Eng.Telesync.XviD-LTT.torrent
c:\program files\BitComet\Torrents\Duplicity.2009.Eng.Telesync.XviD-LTT.xml
c:\program files\BitComet\Torrents\FairUse4WM+Commander.rar.torrent
c:\program files\BitComet\Torrents\Fringe Season1 (XviD asd) EnglishV+NapisyPL - www.com.torrent
c:\program files\BitComet\Torrents\Fringe Season1 (XviD asd) EnglishV+NapisyPL - www.com.xml
c:\program files\BitComet\Torrents\Frost Nixon 2009 DVDRip-FTR.torrent
c:\program files\BitComet\Torrents\Frost Nixon 2009 DVDRip-FTR.xml
c:\program files\BitComet\Torrents\Frost Nixon[2008]DvDrip[Eng]-FXG.torrent
c:\program files\BitComet\Torrents\Frozen.River.2008.LiMiTED.DVDRip.XviD-iFN.torrent
c:\program files\BitComet\Torrents\Gomorrah.2008.DVDRip.XviD.AC3-iAPULA.[www.usabit.com].torrent
c:\program files\BitComet\Torrents\Gomorrah.2008.DVDRip.XviD.AC3-iAPULA.[www.usabit.com].xml
c:\program files\BitComet\Torrents\I.Love.You,.Man!2009.torrent
c:\program files\BitComet\Torrents\I.Love.You,.Man!2009.xml
c:\program files\BitComet\Torrents\Lesbian.Triangles.13.[English].XXX.DVDRiP.XviD-[WwW.TorrentesX.CoM].torrent
c:\program files\BitComet\Torrents\license.exe.xml
c:\program files\BitComet\Torrents\Madagascar-Escape.2.Africa[2008]DvDrip-aXXo.torrent
c:\program files\BitComet\Torrents\Madagascar-Escape.2.Africa[2008]DvDrip-aXXo.xml
c:\program files\BitComet\Torrents\Milk.DVDRip.XviD-DiAMOND[SpaEstrenos].torrent
c:\program files\BitComet\Torrents\Milk.DVDRip.XviD-DiAMOND[SpaEstrenos].xml
c:\program files\BitComet\Torrents\Monsters.vs.Aliens.torrent
c:\program files\BitComet\Torrents\Monsters.vs.Aliens.xml
c:\program files\BitComet\Torrents\mpcstar_3.8_setup.exe.torrent
c:\program files\BitComet\Torrents\mpcstar_3.8_setup.exe.xml
c:\program files\BitComet\Torrents\P2.torrent
c:\program files\BitComet\Torrents\Private British MILFs XXX [DVDRip][English][www.zonatorrent.com].torrent
c:\program files\BitComet\Torrents\Private British MILFs XXX [DVDRip][English][www.zonatorrent.com][0].torrent
c:\program files\BitComet\Torrents\Revolutionary Road[2008]DvDrip[Eng]-FXG.torrent
c:\program files\BitComet\Torrents\Revolutionary Road[2008]DvDrip[Eng]-FXG.xml
c:\program files\BitComet\Torrents\Slumdog.Millionaire.DVDSCR.XViD-GENUiNE.torrent
c:\program files\BitComet\Torrents\State.of.Play!.2009.torrent
c:\program files\BitComet\Torrents\State.of.Play!.2009.xml
c:\program files\BitComet\Torrents\State.of.Play.2009.CAM.DivX-LTT.torrent
c:\program files\BitComet\Torrents\State.of.Play.2009.CAM.DivX-LTT.xml
c:\program files\BitComet\Torrents\The Chronicles of Narnia - DVDRIP.XVID.AC3.DragonRipper624.torrent
c:\program files\BitComet\Torrents\The Chronicles of Narnia - DVDRIP.XVID.AC3.DragonRipper624.xml
c:\program files\BitComet\Torrents\The Chronicles of Narnia_The Lion, the Witch and the Wardrobe 2005 H264 DVDRip 5.1ch (Extended Edition).torrent
c:\program files\BitComet\Torrents\The International[2009]DvDrip[Eng]-FXG.torrent
c:\program files\BitComet\Torrents\The International[2009]DvDrip[Eng]-FXG.xml
c:\program files\BitComet\Torrents\The Wrestler.2009.DVDSCR VOSTFR Xvid -Guiks.Trackersurfer.avi.torrent
c:\program files\BitComet\Torrents\The.Chronicles.Of.Narnia-The.Lion.the.Witch.and.the.Wardrobe[2005]DvDrip[Eng]-aXXo.torrent
c:\program files\BitComet\Torrents\The.Chronicles.Of.Narnia.The.Lion.The.Witch.And.The.Wardrobe.DVDRip.XviD.SweSub-Pitbull.avi.torrent
c:\program files\BitComet\Torrents\The.Chronicles.Of.Narnia.The.Lion.The.Witch.And.The.Wardrobe.DVDRip.XviD.SweSub-Pitbull.avi.xml
c:\program files\BitComet\Torrents\The.Wrestler[2008]DvDrip-MAX.torrent
c:\program files\BitComet\Torrents\The.Wrestler[2008]DvDrip-MAX.xml
c:\program files\BitComet\Torrents\UP.DvDRiP(2009).torrent
c:\program files\BitComet\Torrents\UP.DvDRiP(2009).xml
c:\program files\BitComet\Torrents\X-Men.Origins.Wolverine.2009.WORKPRINT.XviD-NoGRP.torrent
c:\program files\BitComet\Torrents\X-Men.Origins.Wolverine.2009.WORKPRINT.XviD-NoGRP.xml
c:\windows\18557notza-vi9usc.bin
c:\windows\system32\2z4439py5.dll

Re: WinBlueSoft - Infection
PART 2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KRDPDRE
-------\Service_krdpdre


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{995E55E8-E724-4913-5D35-F2FDBFD1C3FE}-tempo-setup2.exe
2009-06-03 22:15 . 2009-06-03 22:15 361472 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{F267AA9E-64C6-7D0F-5356-FBDE2CC7A2CD}-tempo-setup2.exe
2009-06-03 17:44 . 2009-06-04 18:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 17:07 . 2009-06-03 17:07 -------- d-----w- c:\program files\Trend Micro
2009-06-03 16:52 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 16:52 . 2009-06-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 16:52 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 16:41 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-03 16:40 . 2009-03-06 15:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-03 16:40 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-03 16:40 . 2009-06-03 16:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-03 16:40 . 2008-12-10 11:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-03 16:40 . 2009-06-03 17:44 -------- d-----w- c:\program files\Spyware Doctor
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\RICHARD\Application Data\PC Tools
2009-06-03 16:40 . 2009-06-03 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-02 23:41 . 2009-06-02 23:41 -------- d-----w- c:\program files\PlayAllDVD
2009-06-02 23:37 . 2009-06-02 23:37 -------- d-----w- c:\program files\WinBlueSoft Software
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\documents and settings\RICHARD\Application Data\UseNeXT
2009-06-02 18:20 . 2009-06-02 18:20 -------- d-----w- c:\program files\UseNeXT
2009-06-01 23:06 . 2009-06-01 23:07 -------- d-----w- c:\documents and settings\RICHARD\Application Data\TigerPlayer
2009-06-01 23:05 . 2009-06-01 23:05 -------- d-----w- c:\program files\MpcStar
2009-05-31 21:42 . 2009-05-31 21:42 390664 ----a-w- c:\documents and settings\RICHARD\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-29 03:35 . 2008-11-05 09:14 1048576 ----a-w- c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash\components\IBitCometExtension.dll
2009-05-27 16:37 . 2009-05-27 16:37 -------- d-----w- c:\program files\DivxFree
2009-05-23 12:04 . 2009-05-23 12:04 -------- d-----w- c:\program files\UltraVideo
2009-05-20 14:44 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-20 14:44 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-20 14:44 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-20 14:44 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-20 14:44 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-20 14:44 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-20 14:44 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-20 14:44 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-20 14:44 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-20 14:42 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-20 14:42 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-20 14:40 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-05-20 14:40 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-05-20 14:40 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-05-20 14:40 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 18:09 . 2007-09-16 16:44 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-03 17:57 . 2007-07-17 17:52 -------- d-----w- c:\program files\Java
2009-05-27 22:38 . 2006-09-23 16:57 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-26 22:52 . 2008-09-23 18:24 -------- d-----w- c:\program files\Nokia
2009-05-25 19:20 . 2006-09-13 17:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2003-12-19 19:36 . 2006-09-23 17:05 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-03_22.42.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 18:25 . 2009-06-04 18:25 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-9-23 155648]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [23/09/2006 18:09 9344]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/06/2009 17:40 130424]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [22/03/2009 10:59 24936]
R2 sfmgr;CaReTaKeR-CT NetMgr 1.2.1;c:\sfmgr\sfmgr.exe [15/03/2007 13:16 171008]
S3 ni_avs;ni_avs;c:\windows\system32\Drivers\ni_avs.sys --> c:\windows\system32\Drivers\ni_avs.sys [?]
S3 ni_usb;ni_usb;c:\windows\system32\Drivers\ni_usb.sys --> c:\windows\system32\Drivers\ni_usb.sys [?]
S3 USB22LDR;M-Audio USB MIDISPORT 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [03/04/2008 20:45 20936]
.
Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\RICHARD\Application Data\Mozilla\Firefox\Profiles\c5kqd84s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-725345543-910916986-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3c,9c,6c,23,db,93,6c,2e,e2,51,78,77,2a,83,44,ea,ac,a2,8d,7a,5c,d2,9b,
d3,4c,fe,7c,18,bb,af,e8,59,c4,98,ca,57,50,a5,ea,eb,97,d2,f8,b2,09,8c,85,b4,\
"??"=hex:d5,b6,d8,0c,d2,ce,a5,b1,06,09,a9,bf,cb,2d,2a,b8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\ctagent.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\system32\DVDRAMSV.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-04 19:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 18:28
ComboFix2.txt 2009-06-03 22:45

Pre-Run: 1,525,243,904 bytes free
Post-Run: 1,425,149,952 bytes free

327 --- E O F --- 2009-05-21 18:25
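The log above is the record of what ComboFix found and removed; the lines a helper reads first are the firewall-policy and Security Center keys (the firewall's standard profile is off and Symantec firewall monitoring is disabled), services whose image is missing or lives outside the usual directories, and files with random-looking names dropped straight into c:\windows or system32. The script below is an added example, not part of the original thread and not ComboFix's own code: it applies exactly those checks to a constructed excerpt written in ComboFix's log layout. The sample lines copy a few entries from the log above only so the heuristics have something realistic to act on; a hit means "review this", not "this is malware", and the name-randomness rule is a heuristic of this example, not a rule ComboFix uses.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re

# Constructed sample in the same layout as a ComboFix log; it is not the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [23/09/2006 18:09 9344]
R2 sfmgr;CaReTaKeR-CT NetMgr 1.2.1;c:\sfmgr\sfmgr.exe [15/03/2007 13:16 171008]
S3 ni_avs;ni_avs;c:\windows\system32\Drivers\ni_avs.sys --> c:\windows\system32\Drivers\ni_avs.sys [?]

c:\windows\system32\Ati2evxx.dll
c:\windows\18557notza-vi9usc.bin
c:\windows\system32\2z4439py5.dll
"""

# "R0 name;description;path [date size]" service/driver lines, as ComboFix prints them.
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
# Bare file paths (the "Other Deletions" / "Files Created" style lines).
PATH_RE = re.compile(r'^[a-z]:\\[^\s"]+$', re.I)

# Directories where a freshly dropped, oddly named file deserves a look.
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")
# Roots a service image is normally expected under (heuristic for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def looks_random(stem: str) -> bool:
    """Heuristic: several alternating letter/digit runs with >= 3 digits overall.
    Catches names like 2z4439py5 but not Ati2evxx or msvcr71."""
    alnum = re.sub(r"[^0-9a-z]", "", stem.lower())
    runs = re.findall(r"\d+|[a-z]+", alnum)
    digits = sum(len(r) for r in runs if r.isdigit())
    return len(runs) >= 4 and digits >= 3


def triage(log_text: str) -> list[str]:
    """Return human-readable findings, in log order, for the checks described above."""
    findings: list[str] = []
    section = ""  # current [registry key] header, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue

        # Windows Firewall standard profile switched off.
        m = re.match(r'"EnableFirewall"\s*=\s*(\d+)', line)
        if m and section.endswith("firewallpolicy\\standardprofile") and m.group(1) == "0":
            findings.append("firewall: Windows Firewall standard profile disabled (EnableFirewall=0)")
            continue

        # Security Center told to stop monitoring a product (hides "firewall off" warnings).
        m = re.match(r'"DisableMonitoring"\s*=\s*dword:([0-9a-f]+)', line, re.I)
        if m and "security center\\monitoring\\" in section and int(m.group(1), 16) != 0:
            product = section.rsplit("\\", 1)[-1]
            findings.append(f"security center: monitoring disabled for {product}")
            continue

        # Services/drivers: image missing on disk, or running from an unusual root.
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            path = re.split(r"\s+(?:-->|\[)", rest, maxsplit=1)[0].lower()
            if rest.endswith("[?]"):
                findings.append(f"service {name}: image not found on disk ({path})")
            elif not path.startswith(TRUSTED_ROOTS):
                findings.append(f"service {name}: image outside Windows/Program Files ({path})")
            continue

        # Loose files: random-looking names directly in c:\windows or system32.
        if PATH_RE.match(line):
            directory, _, filename = line.lower().rpartition("\\")
            stem = filename.rsplit(".", 1)[0]
            if directory in SYSTEM_DIRS and looks_random(stem):
                findings.append(f"file: random-looking name in system directory ({line})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it as-is and it prints six findings for the sample: the disabled Security Center monitoring, the disabled firewall profile, sfmgr running from c:\sfmgr, the ni_avs driver with no image on disk, and the two oddly named files. Each one is a prompt to look closer (check the file's signature, hash and creation time, and who created the registry value), which is the same judgement the helper applies by eye when reading the real log.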

Re: WinBlueSoft - Infection
Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: WinBlueSoft - Infection
Hi,

I have done as you requested and I now have access to my computer and drives again. Thank you, I really appreciate your time doing this.

Two things:

1. I still have the WinBlueSoft warning as my wallpaper.

2. I am getting error messages when I try to open the MalwareBytes software: run-time error (0) and run-time error (440).

Am I malware and virus free, or are there other steps I need to take?

Lastly, I thought Windows Live OneCare was powerful enough to stop intrusions like this?

Once again thanks for helping out.

Re: WinBlueSoft - Infection
Hello.
The desktop background just needs changing back to the default; it's just a setting that wasn't removed.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • MalwareBytes Anti-Malware

Then reboot!

After reboot, download the MBAM Cleaner from here.

Allow it to work and it will want to reboot again, allow it to.

Then try installing MBAM again.


Re: WinBlueSoft - Infection
Hey Belahzur,

My PC is now back to its previous state (if not better, given what has been removed malware-wise).

Thank you very much.

I will be making a donation to you guys for all your help.

Cheers
